CVE-2021-21803
Description
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Advantech R-SeeNet's device_graph_page.php allows arbitrary JavaScript execution via a crafted URL.
Vulnerability
The vulnerability exists in the device_graph_page.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020). The graph parameter is read directly from user input via $_GET['graph'] and embedded into an HTML `` tag without sanitization or output encoding, resulting in reflected cross-site scripting (XSS) [1].
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the graph parameter, such as ?graph=%22zlo%20onerror=alert(1)%20%22. If a victim visits this URL, the payload executes in the context of the victim's browser. No authentication or special privileges are required; only user interaction (clicking the link) is needed [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, credential theft, or other client-side attacks. The CVSSv3 score is 9.6 (Critical) due to network attack vector, low complexity, no privileges required, user interaction, and changed scope [1].
Mitigation
No fixed version is disclosed in the available reference. Users should restrict access to the R-SeeNet web interface to trusted networks and consider upgrading if a patched version becomes available. As of the publication date, no workaround is provided [1].
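Since no patch is available, a defender is left with detection and, for anyone maintaining a similar script, output encoding. The example below is added here and is not part of the advisory or of R-SeeNet: it scans constructed Apache-style access-log lines for device_graph_page.php requests whose decoded graph parameter could break out of an attribute (the second sample line carries the payload quoted above), and shows the attribute encoding that would neutralise it. The log format, client addresses and the script's location at the web root are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (not real traffic). The script name
# comes from the advisory; its directory and the client addresses are assumed.
# Line two carries the exact payload quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /device_graph_page.php?graph=cpu HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /device_graph_page.php?graph=%22zlo%20onerror=alert(1)%20%22 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 128
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')
# Anything that could close a quoted attribute or start a handler, tag or URL scheme.
SUSPICIOUS = re.compile(r'["\'<>]|\bon\w+\s*=|javascript:', re.IGNORECASE)


def graph_param(line):
    """Return the percent-decoded ?graph= value of a device_graph_page.php
    request, or None when the line is not such a request."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m.group(3))
    if not target.path.endswith("device_graph_page.php"):
        return None
    values = parse_qs(target.query).get("graph")  # parse_qs decodes %xx and '+'
    return values[0] if values else None


def is_suspicious(value):
    """True when the decoded value could break out of an HTML attribute."""
    return SUSPICIOUS.search(value) is not None


def scan(log_text):
    """Return (client_ip, decoded graph value) for requests worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        value = graph_param(line)
        if value is not None and is_suspicious(value):
            hits.append((LOG_LINE.match(line).group(1), value))
    return hits


def encode_for_attribute(value):
    """Output encoding of the kind the advisory says is missing: escape the value
    before placing it in a double-quoted attribute, so the payload's quote cannot
    close the attribute and its onerror= stays inert text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent graph={value!r} -> encoded {encode_for_attribute(value)!r}")
```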
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Advantech / R-SeeNet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1272
News mentions
No linked articles in our index yet.